Office 365 Moving Emails to Deleted Items
-
@dafyre said in Office 365 Moving Emails to Deleted Items:
e got a strange one... I have a user here whose Emails go from whatever folder they are in to the Deleted Items folder after being read... Sometimes. Sometimes it doesn't happen for several minutes, and other times it happens right away.
The user hasn't been phished that we can tell. No bogus rules in Outlook forwarding things to the deleted items. Check both Web and Outlook 2016.
What am I not looking at that could be causing this?
They got hacked though
https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/
https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account
Sometimes the rule is a dot on the name....
-
@dbeato said in Office 365 Moving Emails to Deleted Items:
@dafyre said in Office 365 Moving Emails to Deleted Items:
e got a strange one... I have a user here whose Emails go from whatever folder they are in to the Deleted Items folder after being read... Sometimes. Sometimes it doesn't happen for several minutes, and other times it happens right away.
The user hasn't been phished that we can tell. No bogus rules in Outlook forwarding things to the deleted items. Check both Web and Outlook 2016.
What am I not looking at that could be causing this?
They got hacked though
https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/
https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account
Sometimes the rule is a dot on the name....
Yeah, assume that this is a hack. It's almost certain.
-
@scottalanmiller said in Office 365 Moving Emails to Deleted Items:
Outlook might not have the rules, Exchange might. We've seen this a lot and it is caused when users use Outlook rather than OWA and don't know that they have client rules that they normally play with and more important server side rules that Outlook doesn't show you. That's how they get hidden.
I've gone through the rules with both PowerShell from the admin side, and both Outlook and OWA in the User's account side. The only rule that deletes items is working fine.
Pretty commonly it is a "password reset" attack vector, and this is to hide the password reset emails being received.
By this, you mean the rule is hiding "we're attempting to change your password" type emails?
If those emails were set to be permanently deleted, they could still be recovered from the "Recover deleted items" section in the Deleted Items folder. The only thing we're finding there is the messages that have been deleted.
-
@dafyre said in Office 365 Moving Emails to Deleted Items:
By this, you mean the rule is hiding "we're attempting to change your password" type emails?
Precisely
-
@scottalanmiller said in Office 365 Moving Emails to Deleted Items:
@dafyre said in Office 365 Moving Emails to Deleted Items:
By this, you mean the rule is hiding "we're attempting to change your password" type emails?
Precisely
Yeah, we're not finding those anywhere, unless they purge them from the deleted items "Recover deleted items" section... but the telltale sign there would be nothing in the Recover deleted items (but there's plenty of deleted items we need to restore, lol.)
As for the Office 365 Remediation stuff, we've already changed their passwords and such. We're also going live with MFA on Office 365 next week, lol.
-
Just to be safe though, I did turn on User auditing. So we'll see what that reveals in a few hours...
Edit: or not. Apparently, my admin account doesn't have privileges to actually use the audit stuff, lol.
-
@dafyre said in Office 365 Moving Emails to Deleted Items:
Just to be safe though, I did turn on User auditing. So we'll see what that reveals in a few hours...
Edit: or not. Apparently, my admin account doesn't have privileges to actually use the audit stuff, lol.
Yeah, you have to go in and add those permissions separately. Global admin is not global enough.
-
@wrx7m said in Office 365 Moving Emails to Deleted Items:
@dafyre said in Office 365 Moving Emails to Deleted Items:
Just to be safe though, I did turn on User auditing. So we'll see what that reveals in a few hours...
Edit: or not. Apparently, my admin account doesn't have privileges to actually use the audit stuff, lol.
Yeah, you have to go in and add those permissions separately. Global admin is not global enough.
Apparently so. But I see no signs of another user in their account.
-
@dbeato said in Office 365 Moving Emails to Deleted Items:
@dafyre said in Office 365 Moving Emails to Deleted Items:
e got a strange one... I have a user here whose Emails go from whatever folder they are in to the Deleted Items folder after being read... Sometimes. Sometimes it doesn't happen for several minutes, and other times it happens right away.
The user hasn't been phished that we can tell. No bogus rules in Outlook forwarding things to the deleted items. Check both Web and Outlook 2016.
What am I not looking at that could be causing this?
They got hacked though
https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/
https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account
Sometimes the rule is a dot on the name....
I am assuming it's a hacked account, but we changed the password to a new one. I disconnected all of her sessions from Office 365.
Still happening. I see no rules with a dot in the name... or spaces or foreign characters. I see exactly the number of rules on my CLI as I do in Outlook and OWA.
-
@dafyre said in Office 365 Moving Emails to Deleted Items:
@dbeato said in Office 365 Moving Emails to Deleted Items:
@dafyre said in Office 365 Moving Emails to Deleted Items:
e got a strange one... I have a user here whose Emails go from whatever folder they are in to the Deleted Items folder after being read... Sometimes. Sometimes it doesn't happen for several minutes, and other times it happens right away.
The user hasn't been phished that we can tell. No bogus rules in Outlook forwarding things to the deleted items. Check both Web and Outlook 2016.
What am I not looking at that could be causing this?
They got hacked though
https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/
https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account
Sometimes the rule is a dot on the name....
I am assuming it's a hacked account, but we changed the password to a new one. I disconnected all of her sessions from Office 365.
Still happening. I see no rules with a dot in the name... or spaces or foreign characters. I see exactly the number of rules on my CLI as I do in Outlook and OWA.
Can you clear them all? Take a screenshot of the settings and then remove them and see what changes. The rules run autonomously and it is not someone running them.
-
@dbeato said in Office 365 Moving Emails to Deleted Items:
@dafyre said in Office 365 Moving Emails to Deleted Items:
@dbeato said in Office 365 Moving Emails to Deleted Items:
@dafyre said in Office 365 Moving Emails to Deleted Items:
e got a strange one... I have a user here whose Emails go from whatever folder they are in to the Deleted Items folder after being read... Sometimes. Sometimes it doesn't happen for several minutes, and other times it happens right away.
The user hasn't been phished that we can tell. No bogus rules in Outlook forwarding things to the deleted items. Check both Web and Outlook 2016.
What am I not looking at that could be causing this?
They got hacked though
https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/
https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account
Sometimes the rule is a dot on the name....
I am assuming it's a hacked account, but we changed the password to a new one. I disconnected all of her sessions from Office 365.
Still happening. I see no rules with a dot in the name... or spaces or foreign characters. I see exactly the number of rules on my CLI as I do in Outlook and OWA.
Can you clear them all? Take a screenshot of the settings and then remove them and see what changes. The rules run autonomously and it is not someone running them.
That's what we've done now. All of the rules are disabled. End-user is turning them back on one at a time now.
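
The rule review discussed in this thread (server-side rules that Outlook may not show, names such as a single dot, rules that delete mail or move it to Deleted Items), as an added PowerShell example that is not from any poster. `Find-SuspiciousInboxRule`, the sample objects and the mailbox address are hypothetical; `Get-InboxRule -IncludeHidden` is the Exchange Online cmdlet, and matching the folder by the display name "Deleted Items" is an assumption.

```powershell
# Added example: flag inbox rules matching the patterns discussed in this thread.
function Find-SuspiciousInboxRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Rule
    )
    process {
        $reasons = @()
        $name = [string]$Rule.Name

        # Names that are blank, punctuation only (a lone dot), or contain non-ASCII characters
        if ($name -match '^[\s\p{P}]*$') { $reasons += 'blank or punctuation-only name' }
        if ($name -match '[^\x20-\x7E]') { $reasons += 'non-ASCII characters in name' }

        # Actions that make mail disappear from the folder the user is watching
        if ($Rule.DeleteMessage) { $reasons += 'deletes message' }
        if ([string]$Rule.MoveToFolder -match 'Deleted Items') { $reasons += 'moves to Deleted Items' }
        if ($Rule.MarkAsRead) { $reasons += 'marks as read' }

        # Actions that send copies of mail somewhere else
        foreach ($p in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            if ($Rule.$p) { $reasons += "$p set" }
        }

        # Emit only rules with at least one finding, for manual review
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $name
                Enabled = $Rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample objects (not real data), shaped like Get-InboxRule output.
$sample = @(
    [pscustomobject]@{ Name = 'Newsletters'; Enabled = $true; MoveToFolder = 'Newsletters' }
    [pscustomobject]@{ Name = '.'; Enabled = $true; DeleteMessage = $true; MarkAsRead = $true }
    [pscustomobject]@{ Name = 'Archive'; Enabled = $true; MoveToFolder = 'Deleted Items'
                       RedirectTo = @('placeholder@example.invalid') }
)
$sample | Find-SuspiciousInboxRule | Format-Table -AutoSize

# Against a live mailbox (needs an Exchange Online PowerShell session; address is a placeholder):
# Get-InboxRule -Mailbox 'user@example.invalid' -IncludeHidden | Find-SuspiciousInboxRule
```

A flagged rule is a candidate for review, not proof of compromise; legitimate user rules also mark mail as read or move it between folders.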